Content for TS 33.222 Word version: 17.1.0
4 Overview of the Security Architecture
5 Authentication schemes
6 Use of Authentication Proxy
A Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPS
B Guidance on Certificate-based mutual authentication between UE and application server
C Considerations for GBA security using a web browser and Javascript
D Security measures for usage of GBA with a web browser
$ Change history
4 Overview of the Security Architecture Word‑p. 8
5 Authentication schemes Word‑p. 9
5.1 Reference model Word‑p. 9
5.2 General requirements and principles Word‑p. 9
5.2.1 Requirements on the UE Word‑p. 9
5.2.2 Requirements on the NAF Word‑p. 9
5.3 Shared key-based UE authentication with certificate-based NAF authentication Word‑p. 10
5.3.0 Procedures |R11| Word‑p. 10
5.3.1 TLS profile Word‑p. 11
5.3.1.0 General |R11| Word‑p. 11
5.3.1.1 Protection mechanisms Word‑p. 12
5.3.1.2 Void
5.3.1.3 Authentication of the AP/AS Word‑p. 12
5.3.1.4 Authentication Failures Word‑p. 12
5.3.1.5 Set-up of Security parameters Word‑p. 12
5.3.1.6 Error cases Word‑p. 12
5.4 Shared key-based mutual authentication between UE and NAF Word‑p. 13
5.4.0 Procedures |R11| Word‑p. 13
5.4.1 TLS Profile Word‑p. 15
5.4.1.0 General |R11| Word‑p. 15
5.4.1.1 Protection mechanisms Word‑p. 16
5.4.1.2 Authentication of the AP/AS Word‑p. 16
5.4.1.3 Authentication Failures Word‑p. 16
5.4.1.4 Set-up of Security parameters Word‑p. 16
5.5 Certificate based mutual authentication between UE and application server Word‑p. 16
5.5.1 General |R7| Word‑p. 16
5.5.2 TLS Profile |R7| Word‑p. 16
6 Use of Authentication Proxy Word‑p. 18
6.1 Architectural view Word‑p. 18
6.2 Requirements and principles Word‑p. 19
6.4 Reference points Word‑p. 20
6.4.1 Ua reference point Word‑p. 20
6.4.2 AP-AS reference point Word‑p. 20
6.5 Management of UE identity Word‑p. 20
6.5.1 Granularity of Authentication and Access Control by AP Word‑p. 20
6.5.1.1 Authorised Participant of GBA Word‑p. 20
6.5.1.2 Authorised User of Application Word‑p. 21
6.5.2 Transfer of Asserted Identity from AP to AS Word‑p. 21
6.5.2.1 Authorised Participant of GBA Word‑p. 21
6.5.2.2 Authorised User of Application Anonymous to AS Word‑p. 21
6.5.2.3 Authorised User of Application with Transferred Identity asserted to AS Word‑p. 21
6.5.2.4 Authorised User of Application with Transferred Identity asserted to AS and Check of User Inserted Identity Word‑p. 22
A Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPS Word‑p. 23
B Guidance on Certificate-based mutual authentication between UE and application server Word‑p. 24
C Considerations for GBA security using a web browser and Javascript |R12| Word‑p. 25
C.1 Usage Scenario Word‑p. 25
C.2 Threats Word‑p. 25
C.3 Control of GBA Credentials and GBA Module in the UE Word‑p. 26
C.3.1 General Word‑p. 26
C.3.2 Control Mechanism 1- Same Origin Authentication Tokens Word‑p. 26
C.3.3 Control Mechanism 2 - Server Authenticated TLS Word‑p. 26
C.3.4 Control Mechanism 3 - Channel Binding Word‑p. 26
C.3.5 Control Mechanism 4 - Key Usage Word‑p. 26
C.4 Security Considerations Word‑p. 27
C.4.1 General Scripting Security Considerations Word‑p. 27
C.4.2 GBA key control Word‑p. 27
C.4.3 User grants Word‑p. 27
C.4.4 Root CAs in Browser Word‑p. 27
D (Normative) Security measures for usage of GBA with a web browser |R12| Word‑p. 29
D.1 Extension of Protocol Mechanism used on Ua Reference Point Word‑p. 29
D.1.1 General Word‑p. 29
D.1.2 Key derivation Word‑p. 29
D.1.3 Channel binding Word‑p. 29
D.1.3.1 Background Word‑p. 29
D.1.3.2 Channel binding using RFC 5705 and RFC 5929 Word‑p. 30
D.2 Sequence flow Word‑p. 30
D.2.1 Sequence flow with channel binding Word‑p. 30
D.3 Javascript GBA API description Word‑p. 34
D.3.1 GBA API Description Word‑p. 34
D.3.2 API usage Word‑p. 35
$ Change history Word‑p. 36
